Hacking is a term that is often used to describe the acts of a computer user who trespasses on computer systems for any number of reasons. Oftentimes, these intruders hack into a system/network with the intention of launching some form of attack against the system/network. An attacker, as used herein, refers to any computer user who hacks, trespasses, or intrudes onto a computer system or network and attempts to compromise the integrity or performance of the system or network. The term attacker may also be used herein to refer to a host system or remote host through which an attack is launched (i.e. the source of harmful or potentially harmful traffic).
Attackers can be very sophisticated and difficult to detect. Most attackers operate through a remote system or even a chain of several remote systems to obscure their identity and/or location. Attackers are often very thorough and methodical in using reconnaissance to create a detailed map of a network that provides details on any network vulnerabilities.
Reconnaissance typically involves a process of gathering information, scanning the target network, and probing for weaknesses in the target network before launching an attack. In the information-gathering phase, attackers collect information about a network (e.g. a company network) in an attempt to obtain as many domain names as possible. The domain names are then used to query domain name servers (DNS servers) for network Internet Protocol (IP) addresses. This process is sometimes called footprinting. Additionally, attackers may also perform a broad sweep of a network to probe for IP addresses.
In the scanning phase, an attacker can learn which services are running on each host and which ports the services are using. Application services can be accessed from a network through a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port address.
In the final phase of reconnaissance, attackers search the target network specifically for resources such as devices and file resources in order to acquire information about network security and network vulnerabilities.
Once the reconnaissance process is complete, an attacker may launch an attack. There are many types of network attacks that can cause serious performance problems on a network. Attacks including, but not limited to, Denial of Service (DoS), Distribute DoS (DDoS), viruses, worms, polymorphic viruses, blended attacks, and Day-Zero threats can be launched against a network to disrupt configuration and routing information and physical network components. Attacks can also tie up and/or consume network bandwidth, central processing unit (CPU) time, and disk space.
One example of a DoS attack is a TCP Flood attack. In a TCP flood attack, an attacker sends a flood of TCP synchronize (SYN) packets to a target system, often with a forged source address. Each of these packets is handled like a connection request by the target system. Thus, the target device responds to the request by sending a TCP synchronize/acknowledge (SYN/ACK) packet and waits for a TCP ACK packet from the attacker (or the forged source address) to complete the connection as part of the normal TCP three-way handshake used to set up a connection. However, in a TCP flood attack, no TCP ACK packet is ever sent back to the target system to complete the connection. This causes half-open connections, which tie up the target system until the attack ends.
Another example of a DoS attack is a Smurf attack, which uses the PING (Packet Internet Grouper) utility to flood a target system with PING responses. In this case, the attacker broadcasts a PING request to an entire network. However, the attacker uses a source address in the PING request to make it appear that the request is coming from the target system's IP address. Thus, a flood of PING responses is sent to the target system, bogging down the target system.
Most networks employ some form of network security to help against many of the attacks discussed above. However, many network security systems and/or devices rely on signature-based security techniques. In other words, these security systems maintain a list of known security threats, or signatures, and can only prevent or mitigate damage based on these known security threats. One problem with signature-based security is that it is not effective in preventing or mitigating unknown security threats and Day-Zero attacks. Additionally, many of today's network security systems need to be “in-line” with the network to mitigate threats and can, therefore, end up being bottlenecks or points of failure.